Steps

I recently created a SAML 2.0 Service Provider using PHP. I used the AuthnRequest Protocol with HTTP-POST binding. This was done to help me understand the basic SAML 2.0 exchanges between a Service Provider and an Identity Provider.

Here is an exhaustive walk-through of the logs from the Service Provider I created.

The Service Provider I created had the URL: http://saml20.abilityweb.us

I have a user account on the SSO Circle Identity Provider. I added my test Service Provider to my SSO Circle account as an authorized service provider. During that process I uploaded the following metadata for my PHP Service Provider to the SSO Circle Identity Provider:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://saml20sp.abilityweb.us">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://saml20sp.abilityweb.us/spdbg/sp_logout.php"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://saml20sp.abilityweb.us/spdbg/sp.php"/>
  </SPSSODescriptor>
</EntityDescriptor>

I chose to use the HTTP-POST binding along with the AuthnRequest Protocol for SAML authentication.

My URL that is supposed to process the response to my AuthnRequest is: http://saml20sp.abilityweb.us/spdbg/home.php

My AuthnRequest that was generated by the test Service Provider I created looked like this:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec" Version="2.0"
  IssueInstant="2010-04-08T13:44:41Z" ForceAuthn="false" IsPassive="false"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="http://saml20sp.abilityweb.us/spdbg/sp.php">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://saml20sp.abilityweb.us
  </saml:Issuer>
  <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    SPNameQualifier="http://saml20sp.abilityweb.us" AllowCreate="true">
  </samlp:NameIDPolicy>
  <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

The request is then DEFLATED:

ùS—nõ0}ÔW ø'BîŒ
HY™ië∫ç%¨{3Ê“X2∂ÁköÙÔg”¥ã¥äJy··r8˜‹s+dù4t›ªÉ⁄¡ü–E—©ì
È&'ΩUT3HÎ

Then it is Base64 encoded and URL encoded:

nVPRbpswFH3vVyC%2FJxBClM4KSFmqaZG6jSWsD3sz5tJYMrbna5r072fTtIu0ikp54eFyOPfccw4rZJ00dN27g9rBnx7QRdGpkwrp8CYnvVVUMxRIFesAqeN0v%2F52T9NpQo3VTnMtyc32LidZfcubhKWQtBmH%2Bad5yhawqJc1a1iatstmOa%2BX0CyAk%2BgBLAqtcuJpSLRF7GGr0DHl%2FCiZJZMkmyS31WxOs4xms98k%2BqIth0FnTlomEcJnJUMUT%2FA2Kc%2BCPgvVCPU4rr5%2BASH9WlXlpPyxr0i0RgTrvLKNVth3YPdgnwSHX7v7nBycMzSOgzFpgmbKaiGFez5CPe0xRtPUj%2F45NQdDiptVgNHhMnvh6Lgk9rqeFKPLVvEF%2B3mXod893%2Fau1FLw52tSDB53zI2jw0Q0k3aAUhNyRAfKkWhfBgE%2FeyZFK8B%2B4Jf3Wkp93FhgzgfobA%2FBtfj%2FU97uOxcUmqEGPiEHJ3fNnRvdGWYFhgLCiXFHipe4Lok30qexg%2Faa8EZhnPJA7cehvkdtm1Bb4P6wyjKFRlt3Dvg9PcWrR%2B%2Fa8c%2FCy3%2B6%2BAs%3D

The deflated and encoded AuthnRequest is then sent over HTTPS to the Identity Provider, along with the RelayState (the URL on my Service Provider that will handle the response):

https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle?SAMLRequest=nVPRbpswFH3vVyC%2FJxBClM4KSFmqaZG6jSWsD3sz5tJYMrbna5r072fTtIu0ikp54eFyOPfccw4rZJ00dN27g9rBnx7QRdGpkwrp8CYnvVVUMxRIFesAqeN0v%2F52T9NpQo3VTnMtyc32LidZfcubhKWQtBmH%2Bad5yhawqJc1a1iatstmOa%2BX0CyAk%2BgBLAqtcuJpSLRF7GGr0DHl%2FCiZJZMkmyS31WxOs4xms98k%2BqIth0FnTlomEcJnJUMUT%2FA2Kc%2BCPgvVCPU4rr5%2BASH9WlXlpPyxr0i0RgTrvLKNVth3YPdgnwSHX7v7nBycMzSOgzFpgmbKaiGFez5CPe0xRtPUj%2F45NQdDiptVgNHhMnvh6Lgk9rqeFKPLVvEF%2B3mXod893%2Fau1FLw52tSDB53zI2jw0Q0k3aAUhNyRAfKkWhfBgE%2FeyZFK8B%2B4Jf3Wkp93FhgzgfobA%2FBtfj%2FU97uOxcUmqEGPiEHJ3fNnRvdGWYFhgLCiXFHipe4Lok30qexg%2Faa8EZhnPJA7cehvkdtm1Bb4P6wyjKFRlt3Dvg9PcWrR%2B%2Fa8c%2FCy3%2B6%2BAs%3D&RelayState=http%3A%2F%2Fsaml20sp.abilityweb.us%2Fspdbg%2Fhome.php

The Identity Provider processes this request and handles the authentication. Upon successful authentication, it sends back a Base64-encoded Response.


The string is decoded by the service provider into the following:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="s2f98379b083f8317f61438cd3bd26f5962a425273" InResponseTo="4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec"
  Version="2.0" IssueInstant="2010-04-08T13:44:55Z" Destination="http://saml20sp.abilityweb.us/spdbg/sp.php">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.ssocircle.com
  </saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="s2ed02ed4374224c1e2684ba1d8beca0b00e197088" IssueInstant="2010-04-08T13:44:55Z"
    Version="2.0">
    <saml:Issuer>http://idp.ssocircle.com</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#s2ed02ed4374224c1e2684ba1d8beca0b00e197088">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>FV6NHFuDbaqCwKLTY/cKlJo25kw=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>
        hKM9fvd449S39zCsxIQMOJ8fP06w9kP7kikljvMpG5JwPNmJy9FpybU3y84WyVY30uRTdYheaRp5
        gaCrKdwcLabV25N23g39fFHsaltyrSY5UBw4NcFnkdqgvfOhBqOcUpoUcmcaxk5Cn2KJjuMz/jZp
        9qXGTgKsjNj5bVlsaSc=
      </SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>
            MIIB8TCCAVqgAwIBAgIFAIxwZnIwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMCREUxEjAQBgNV
            BAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMDkwMjIyMTUwNDI0WhcNMTEwNTIyMTUwNDI0
            WjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NPQ2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNV
            BAMTEWlkcC5zc29jaXJjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/
            aC2gMqRVVaLdPJJEwpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78
            fP1cmt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4KU6zCsM62
            2Kvp5wW67QIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAGyaydfJHDkm77C39gq9bBb7OqK8OXEUTbIM
            p8PDJZzIf9QkpkE7gHGcWctRKi7fNdONulc5kn2K2nbvCGrbWsWQvr/DA0bjkBrK8OeWpRhLe7fl
            +JUgsErMcDIzRTmjNpZzUZp+WESRHV1j3SIcfY4tJM2uMt4Sc/afVnl5P6wL
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="http://idp.ssocircle.com" SPNameQualifier="http://saml20sp.abilityweb.us">XYa7izGqt70RRuRTsW+Tn6yMsmuN
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
          InResponseTo="4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec"
          NotOnOrAfter="2010-04-08T13:54:55Z" Recipient="http://saml20sp.abilityweb.us/spdbg/sp.php" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2010-04-08T13:34:55Z"
      NotOnOrAfter="2010-04-08T13:54:55Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://saml20sp.abilityweb.us</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-04-08T13:44:54Z"
      SessionIndex="s2a9fb7ad623c6aa2fb5d657f15a8055a8bbe4e004">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
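The Response above carries several values that the Service Provider must compare against its own state before it accepts the NameID as a login: InResponseTo against the ID of the AuthnRequest it sent, Destination and Recipient against its AssertionConsumerService URL, the Audience against its entityID, and the NotBefore/NotOnOrAfter window against its clock. The following Python is an added example of those checks (it is not the post's PHP code); it assumes the Assertion's XML signature has already been verified by an XML-DSig library against the IdP's pinned certificate, and the sample Response it embeds is a constructed, unsigned skeleton of the one shown above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "http://saml20sp.abilityweb.us"              # entityID from the SP metadata above
ACS_URL = "http://saml20sp.abilityweb.us/spdbg/sp.php"      # AssertionConsumerService Location
REQUEST_ID = "4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec"  # ID of the AuthnRequest the SP sent
SKEW = timedelta(seconds=60)                                 # tolerated IdP/SP clock drift (assumed)
SAMPLE = """<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" Version="2.0" ID="r1"
 InResponseTo="{rid}" Destination="{acs}" IssueInstant="2010-04-08T13:44:55Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="a1" IssueInstant="2010-04-08T13:44:55Z">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData InResponseTo="{rid}" Recipient="{acs}" NotOnOrAfter="2010-04-08T13:54:55Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2010-04-08T13:34:55Z" NotOnOrAfter="2010-04-08T13:54:55Z">
   <saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

def sample(aud=SP_ENTITY_ID, rid=REQUEST_ID, acs=ACS_URL):  # constructed, unsigned skeleton of the Response above
    return SAMPLE.format(p=NS["samlp"], a=NS["saml"], rid=rid, acs=acs, aud=aud)

def ts(s):  # SAML timestamps in this exchange are UTC with a trailing 'Z'
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, request_id, now):
    """Protocol-level checks on a samlp:Response; returns a list of failures (empty = OK). Assumes the
    Assertion's XML signature was already verified: a good signature alone proves none of the below."""
    r, errs = ET.fromstring(xml_text), []
    if r.get("InResponseTo") != request_id:
        errs.append("Response.InResponseTo is not the ID of an outstanding AuthnRequest")
    if r.get("Destination") != ACS_URL:
        errs.append("Response.Destination is not this SP's ACS URL")
    sc = r.find("samlp:Status/samlp:StatusCode", NS)
    if sc is None or sc.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        errs.append("StatusCode is not Success")
    asrts = r.findall("saml:Assertion", NS)
    if len(asrts) != 1:  # bind the login to exactly one assertion, never to "whichever one parses"
        return errs + ["expected exactly one Assertion, got %d" % len(asrts)]
    scd = asrts[0].find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    c = asrts[0].find("saml:Conditions", NS)
    if scd is None or c is None:
        return errs + ["Assertion lacks SubjectConfirmationData or Conditions"]
    if scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != request_id:
        errs.append("SubjectConfirmationData Recipient/InResponseTo mismatch")
    not_after = min(ts(scd.get("NotOnOrAfter")), ts(c.get("NotOnOrAfter")))
    if not (ts(c.get("NotBefore")) - SKEW <= now < not_after + SKEW):
        errs.append("now is outside the Assertion's validity window (NotBefore/NotOnOrAfter)")
    aud = [(e.text or "").strip() for e in c.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in aud:
        errs.append("this SP is not listed in AudienceRestriction")
    return errs
```

Note that the Response's own InResponseTo and the SubjectConfirmationData's InResponseTo are checked separately, and that the request ID should be consumed (deleted from the SP's outstanding-request store) once a Response for it is accepted so the same Response cannot be replayed.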

When the user wants to log out, I generate the following:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="aaad4e0f4e4f50a3ac594217d95af479f274183578" Version="2.0"
  IssueInstant="2010-04-08T13:45:04Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://saml20sp.abilityweb.us
  </saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    NameQualifier="http://idp.ssocircle.com" SPNameQualifier="http://saml20sp.abilityweb.us"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">XYa7izGqt70RRuRTsW+Tn6yMsmuN</saml:NameID>
  <samlp:SessionIndex xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">s2a9fb7ad623c6aa2fb5d657f15a8055a8bbe4e004
  </samlp:SessionIndex>
</samlp:LogoutRequest>

That request is first DEFLATED, then Base64 encoded, and then URL encoded to become:

nZJfa8IwFMW%2FSsnrsKY1sTZoYSAbgsqmsn9vt22yBdqk9qbM7dOvVQcK4oMveTi55%2F5Obu4YoSwqMbeftnEruW0kOm9XFgbF%2FmZCmtoIC6hRGCglCpeJ9f1iLkKfiqq2zma2IN5sOiEAkDNJFZNMcQoDyHjMwiDKYw6KRbEKIxaMBjwaEe9F1qitmZC2TetGbOTMoAPjWokGtEdZj442wUAwLij7IIk37gKJfWl9EvF6QkCUtWtJJPlyrhL9fucJKVY%2BpLrQ7udbpn6D4%2F5J9%2BSAWrbdZtMbUF7nfG6g0ErLekKOZJ1XPqLNdJ0V0s9sSbz10%2BXSyyGJ92DrEtz1HJ2i857al4qqGzQ6aRxJ3t4h0r%2BPWxfR1apZbfD1bmOGPwssm%2BVxAIc3HwZQibXE7pdmJpe7G7YiwRBilUaQD8NBNgQIVcrzIY9UwGFEeXukqWxXhrID%2FpyY%2FItn25n8AQ%3D%3D

This is then sent over HTTPS via:

https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle?SAMLRequest=nZJfa8IwFMW%2FSsnrsKY1sTZoYSAbgsqmsn9vt22yBdqk9qbM7dOvVQcK4oMveTi55%2F5Obu4YoSwqMbeftnEruW0kOm9XFgbF%2FmZCmtoIC6hRGCglCpeJ9f1iLkKfiqq2zma2IN5sOiEAkDNJFZNMcQoDyHjMwiDKYw6KRbEKIxaMBjwaEe9F1qitmZC2TetGbOTMoAPjWokGtEdZj442wUAwLij7IIk37gKJfWl9EvF6QkCUtWtJJPlyrhL9fucJKVY%2BpLrQ7udbpn6D4%2F5J9%2BSAWrbdZtMbUF7nfG6g0ErLekKOZJ1XPqLNdJ0V0s9sSbz10%2BXSyyGJ92DrEtz1HJ2i857al4qqGzQ6aRxJ3t4h0r%2BPWxfR1apZbfD1bmOGPwssm%2BVxAIc3HwZQibXE7pdmJpe7G7YiwRBilUaQD8NBNgQIVcrzIY9UwGFEeXukqWxXhrID%2FpyY%2FItn25n8AQ%3D%3D&RelayState=http%3A%2F%2Fsaml20sp.abilityweb.us%2Fspdbg%2Fhome.php

The Identity Provider then processes the logout and returns the user to the RelayState URL.
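The DEFLATE, Base64 and URL-encode steps that produced the SAMLRequest parameter for both the AuthnRequest and the LogoutRequest above, as an added Python example rather than the post's own PHP. The two request strings are abbreviated copies of the requests shown earlier, the endpoints and RelayState are the ones from the two redirect URLs, and the decode side shows what the receiving IdP has to do to get the XML back.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints and RelayState exactly as they appear in the two redirect URLs above.
IDP_SSO = "https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle"
IDP_SLO = "https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"
RELAY_STATE = "http://saml20sp.abilityweb.us/spdbg/home.php"

# Abbreviated copies of the AuthnRequest and LogoutRequest shown earlier (sample input).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec" Version="2.0" IssueInstant="2010-04-08T13:44:41Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="http://saml20sp.abilityweb.us/spdbg/sp.php">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://saml20sp.abilityweb.us</saml:Issuer>
</samlp:AuthnRequest>"""
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="aaad4e0f4e4f50a3ac594217d95af479f274183578" Version="2.0" IssueInstant="2010-04-08T13:45:04Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://saml20sp.abilityweb.us</saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">XYa7izGqt70RRuRTsW+Tn6yMsmuN</saml:NameID>
  <samlp:SessionIndex>s2a9fb7ad623c6aa2fb5d657f15a8055a8bbe4e004</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def encode_redirect(xml_text):
    """Steps 1 and 2 of the HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header), then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects a raw DEFLATE stream
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")

def decode_redirect(value):
    """Inverse of encode_redirect: what the IdP does with the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def build_redirect_url(endpoint, xml_text, relay_state):
    """Step 3: URL-encode. urlencode percent-escapes '+', '/' and '=' in the Base64 value and
    ':' and '/' in the RelayState, giving the %2F / %3D / %3A forms seen in the URLs above."""
    return endpoint + "?" + urlencode({"SAMLRequest": encode_redirect(xml_text), "RelayState": relay_state})

def parse_redirect_url(url):
    """Receiver's view: recover the request XML and the RelayState from a redirect URL."""
    q = parse_qs(urlsplit(url).query)
    return decode_redirect(q["SAMLRequest"][0]), q["RelayState"][0]
```

Because the metadata above declares AuthnRequestsSigned="false", these redirect requests carry no Signature/SigAlg parameters, so the IdP has no way to tell a request this SP generated from one anybody else assembled with the same three steps; turning that flag on is the usual hardening.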